[Archivesspace_Users_Group] Observation when in production mode of ArchivesSpace

Duckett, Brian (NIH/NLM) [C] brian.duckett at nih.gov
Fri Jun 17 17:00:12 EDT 2022


Hello,

During a deployment a few weeks ago, our internal security team identified ladle and mizuno as security risks due to the log4j vulnerability announced last year. We were able to successfully remove ladle and deploy, and ArchivesSpace v3.1.1 started and ran successfully. When attempting the same with the removal of Mizuno, we encountered an error, and when attempting to simply remove log4j from Mizuno, we received the following:

Gem Load Error is: Unknown or missing jar: log4j

Through some investigation we found that the contents of the Mizuno repository changed, yet a new version of the gem was not published. We replaced the contents of the Mizuno gem with the contents of the main branch of the repository and all was well. Essentially, we wanted to bring to your attention that removing Mizuno and running ArchivesSpace v3.1.1 in production mode will cause the application to throw a runtime error, which is not congruent with the post from December <https://archivesspace.org/archives/7226?utm_source=rss&utm_medium=rss&utm_campaign=archivesspace-update-december-2021> addressing the log4j issue.

Thank you,

Brian
